Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

VPN IPsec/GRE Tunnel Interface Optimization

Cisco IOS OER supports the optimization of prefixes that are routed over IPsec/GRE tunnel interfaces. The VPN tunnel interfaces are configured as OER external interfaces on the master controller. Figure 1 shows an OER-managed network that is configured to optimize VPN traffic. Cisco IOS OER is deployed at the central office and at the remote offices.

Figure 1 Cisco IOS OER Network Optimized for VPN Routing

This enhancement allows you to configure two-way VPN optimization. A master controller and border router process are enabled on each side of the VPN. Each site maintains a separate master controller database. VPN routes can be dynamically learned through the tunnel interfaces or can be configured. Prefix and exit link policies are configured for VPN prefixes through a standard Cisco IOS OER configuration.

Protection of Route Prefixes with IPsec over GRE Tunnels

The IPsec-to-GRE model allows a service provider to provide VPN services over the IP backbone. Both the central and remote VPN clients terminate according to the IPsec-to-IPsec model. Prefixes are encapsulated using GRE tunnels. The GRE packet is protected by IPsec. The encapsulated prefixes are forwarded from the central VPN site to a customer headend router that is the other endpoint for GRE. The IPsec-protected GRE packets provide secure connectivity across the IP backbone of the service provider network.

For more information about configuring IPsec over GRE tunnels, see the Dynamic Multipoint IPsec VPNs (Using Multipoint GRE/NHRP to Scale IPsec VPNs) document published at the following URL:

Configuring OER to Monitor and Control IPsec VPN Prefixes over GRE Tunnels

Perform this task to configure an IPsec VPN over GRE tunnels. Initially the IPsec VPN is configured on a border router, and the tunnel interface is configured as an OER-managed external interface on the master controller. In this task an IKE policy is defined, a transform set is configured, a crypto profile and a crypto map are defined, and a GRE tunnel is configured.

The GRE tunnel and IPsec protection in this task are configured on the border router. The configuration steps in this task show how to configure a single tunnel. At least two tunnels must be configured on border routers in an OER-managed network. The IPsec configuration must be applied at each tunnel endpoint (the central and remote site).

Configuration of GRE Tunnel Interfaces As OER-Managed Exit Links

GRE tunnel interfaces on the border routers are configured as OER external interfaces on the master controller. At least two external tunnel interfaces must be configured on separate physical interfaces in an OER-managed network. These interfaces can be configured on a single border router or multiple border routers. Internal interfaces are configured normally using a physical interface that is on the border router and is reachable by the master controller.

Restrictions

Cisco IOS OER supports only IPsec/GRE VPNs. No other VPN types are supported.

The example sets the mode to transport. The default mode is tunnel. Under tunnel mode, the entire packet is protected; under transport mode, only the payload is protected, and encapsulation is performed by GRE.
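The transport-versus-tunnel distinction above decides how many bytes each encrypted GRE packet grows by, and therefore the largest inner packet that still fits the physical MTU without fragmentation. The following calculator is an added example written for this guide, not Cisco code. It assumes an IPv4 outer header without options (20 bytes), a GRE header without key, sequence or checksum fields (4 bytes), the 8-byte ESP header and 2-byte ESP trailer, and the standard block, IV and ICV sizes for the esp-3des, esp-aes and esp-sha-hmac transforms (esp-aes is included only for comparison; the examples on this page use esp-3des).

```python
"""GRE + ESP encapsulation overhead calculator (added example, not from the Cisco guide)."""

# Fixed header sizes assumed here: IPv4 without options, GRE without optional
# fields, ESP header (SPI + sequence number), ESP trailer (pad length + next header).
IP_HDR, GRE_HDR, ESP_HDR, ESP_TRAILER = 20, 4, 8, 2

# ESP encryption transforms: (cipher block size, IV length) in bytes.
CIPHERS = {"esp-3des": (8, 8), "esp-aes": (16, 16)}
# ESP integrity transforms: ICV length in bytes (HMAC truncated to 96 bits).
AUTHS = {"esp-sha-hmac": 12, "esp-md5-hmac": 12}


def esp_padding(data_len, cipher="esp-3des"):
    """Padding bytes needed so that data + padding + trailer fills whole cipher blocks."""
    block, _ = CIPHERS[cipher]
    return (block - (data_len + ESP_TRAILER) % block) % block


def encapsulated_size(inner_len, mode="transport", cipher="esp-3des", auth="esp-sha-hmac"):
    """On-the-wire size of one inner IP packet of inner_len bytes after GRE and ESP.

    transport: outer IP | ESP hdr | IV | [GRE | inner packet | pad | trailer] | ICV
    tunnel:    outer IP | ESP hdr | IV | [IP | GRE | inner packet | pad | trailer] | ICV
    Brackets mark the encrypted region; tunnel mode encrypts a second IP header,
    transport mode reuses the GRE packet's own IP header as the outer header.
    """
    if mode not in ("transport", "tunnel"):
        raise ValueError(f"unknown IPsec mode: {mode}")
    _, iv_len = CIPHERS[cipher]
    data = GRE_HDR + inner_len + (IP_HDR if mode == "tunnel" else 0)
    return (IP_HDR + ESP_HDR + iv_len + data
            + esp_padding(data, cipher) + ESP_TRAILER + AUTHS[auth])


def max_inner_mtu(link_mtu, mode="transport", cipher="esp-3des", auth="esp-sha-hmac"):
    """Largest inner packet that leaves the physical interface without fragmentation."""
    for inner_len in range(link_mtu, 0, -1):
        if encapsulated_size(inner_len, mode, cipher, auth) <= link_mtu:
            return inner_len
    return 0


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(f"{mode:9s} 1500-byte inner packet -> {encapsulated_size(1500, mode)} bytes on the wire; "
              f"largest inner packet for a 1500-byte link MTU: {max_inner_mtu(1500, mode)}")
```

For the esp-3des/esp-sha-hmac transform set used in the examples, a 1500-byte inner packet becomes 1560 bytes on the wire in transport mode and 1576 bytes in tunnel mode, and a 1500-byte physical MTU leaves room for a 1442-byte inner packet in transport mode versus 1422 bytes in tunnel mode. The computed value is what you would set with ip mtu on the tunnel interface so that any fragmentation happens before encryption rather than after it.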

Enables keepalive packets and specifies the number of times that the Cisco IOS software tries to send keepalive packets without a response before bringing down the interface or before bringing the tunnel protocol down for a specific interface.

Step 29

bandwidth {kbps | inherit [kbps]}

Example:

    Router(config-if)# bandwidth 500
    Router(config-if)# bandwidth inherit

Sets and communicates the current bandwidth value for an interface to higher-level protocols.

Configuring OER to Monitor and Control GRE/IPsec VPN Prefixes: Example

Figure 2 shows a central VPN site and two remote VPN sites. VPN peering is established through the service provider clouds. An OER-managed network is configured at each site where Cisco IOS OER configuration is applied independently. Each site has a separate master controller and border router process, and each site maintains a separate master controller database.

Figure 2 VPN Sites Controlled by OER-Managed Networks

Two GRE tunnels are configured between each remote site and the central site. VPN prefixes are encapsulated in GRE tunnels, which in turn are protected by IPsec encryption. The examples in this section show the configuration for the central VPN site, VPN A, and VPN B.

Central VPN Configuration: OER Master Controller

The central VPN site peers with VPN A and VPN B. A separate policy is defined for each site using an OER map. For VPN A prefixes, a delay policy of 80 ms is configured and out-of-policy prefixes are moved to the first in-policy exit. For VPN B prefixes, a delay policy of 40 ms and a relative loss policy are configured, and out-of-policy prefixes are moved to the best available exit.

    key chain OER
     key 1
      key-string CISCO
    !
    oer master
     logging
     border 10.4.9.6 key-chain OER
      interface Ethernet 0/0 external
      interface Ethernet 0/1 internal
     !
     border 10.4.9.7 key-chain OER
      interface Ethernet 0/0 external
      interface Ethernet 0/1 internal
     !
     mode route control
     mode monitor both
     exit
    !
    ip prefix-list VPNA permit 10.4.9.25/32
    oer-map VPNA
     match ip address prefix-list VPNA
     set delay threshold 800
     set mode select-exit good
     exit
    !
    ip prefix-list VPNB permit 10.4.9.254/32
    oer-map VPNB
     match ip address prefix-list VPNB
     set delay threshold 400
     set loss relative 100
     set resolve loss priority 1 variance 10
     set mode select-exit best
     end
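Configurations like the one above are copied between sites and edited by hand, so an OER map can end up matching a prefix list that was never defined, a crypto map can reference an access list that does not exist, a border can name a key chain that is missing, and an end can be typed where an exit was intended, leaving every following line unapplied. The following checker is an added example written for this guide, not part of Cisco's documentation or software. It parses IOS-style configuration text with simple regular expressions (no IOS parser is involved) and reports dangling references, duplicate OER interface lines under a border, and a premature end. The embedded SAMPLE_CONFIG is constructed for the demonstration and deliberately contains each of those mistakes.

```python
"""Cross-reference checker for IOS-style OER/IPsec configuration text (added example)."""
import re

# Definition commands: kind -> regex whose group 1 is the object name.
DEFINITIONS = {
    "prefix-list":   re.compile(r"^ip prefix-list (\S+)"),
    "access-list":   re.compile(r"^(?:access-list|ip access-list (?:standard|extended)) (\S+)"),
    "transform-set": re.compile(r"^crypto ipsec transform-set (\S+)"),
    "ipsec-profile": re.compile(r"^crypto ipsec profile (\S+)"),
    "key-chain":     re.compile(r"^key chain (\S+)"),
}
# Reference commands: kind of object the name in group 1 must resolve to.
REFERENCES = {
    "prefix-list":   re.compile(r"^match ip address prefix-list (\S+)"),
    "access-list":   re.compile(r"^match address (\S+)"),
    "transform-set": re.compile(r"^set transform-set (\S+)"),
    "ipsec-profile": re.compile(r"^tunnel protection ipsec profile (\S+)"),
    "key-chain":     re.compile(r"^(?:border|master) \S+ key-chain (\S+)"),
}
# Commands that open a block; used to name the block in findings and to scope
# the duplicate-interface check.
BLOCK_OPENERS = ("oer-map ", "oer master", "oer border", "border ", "crypto map ",
                 "crypto ipsec profile ", "crypto ipsec transform-set ",
                 "interface ", "router ", "route-map ", "key chain ")


def _meaningful(text):
    """Yield (line_number, stripped_line) for lines that are neither blank nor '!' comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        ln = raw.strip()
        if ln and not ln.startswith("!"):
            yield lineno, ln


def check_config(text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    lines = list(_meaningful(text))
    defined = {kind: set() for kind in DEFINITIONS}
    for _, ln in lines:                       # pass 1: collect definitions anywhere in the text
        for kind, rx in DEFINITIONS.items():
            if (m := rx.match(ln)):
                defined[kind].add(m.group(1))

    findings, block, seen_in_block = [], "(global)", set()
    last_lineno = lines[-1][0] if lines else 0
    for lineno, ln in lines:                  # pass 2: check references and structure
        # "interface X external|internal" lines belong to the enclosing OER border block.
        is_oer_iface = ln.startswith("interface ") and ln.endswith((" external", " internal"))
        if is_oer_iface:
            if ln in seen_in_block:
                findings.append(f"line {lineno}: duplicate '{ln}' under {block}")
            seen_in_block.add(ln)
        elif ln.startswith(BLOCK_OPENERS):
            block, seen_in_block = ln, set()
        if ln == "end" and lineno != last_lineno:
            remaining = sum(1 for n, _ in lines if n > lineno)
            findings.append(f"line {lineno}: 'end' under {block} returns to EXEC mode; "
                            f"{remaining} later line(s) would not be applied as configuration")
        for kind, rx in REFERENCES.items():
            m = rx.match(ln)
            if m and m.group(1) not in defined[kind]:
                findings.append(f"line {lineno}: {block} references undefined {kind} '{m.group(1)}'")
    return findings


# Constructed sample, modelled on the master controller/border configs in this guide,
# with a duplicate external interface, an undefined key chain, prefix list and access
# list, and an 'end' typed before the tunnel interface configuration.
SAMPLE_CONFIG = """\
key chain OER
 key 1
  key-string CISCO
oer master
 border 10.4.9.6 key-chain OER
  interface Tunnel0 external
  interface Tunnel0 external
 border 10.4.9.7 key-chain BR7
  interface Ethernet 0/0 external
 mode route control
ip prefix-list VPNA permit 10.4.9.25/32
oer-map VPNA
 match ip address prefix-list VPNB
 set delay threshold 800
crypto ipsec transform-set VPN_1 esp-3des esp-sha-hmac
 mode transport
crypto map TUNNEL 10 ipsec-isakmp
 set transform-set VPN_1
 match address 100
crypto ipsec profile OER
 set transform-set VPN_1
end
interface Tunnel0
 tunnel protection ipsec profile OER
"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Run against a saved show running-config or against a prepared configuration file before pasting it into a router; the checks are intentionally syntactic, so a clean result means only that every named object is defined somewhere in the text, not that the policy itself is correct.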

Central VPN Configuration: BR1

The following example, starting in global configuration mode, shows the central VPN configuration for BR1:

    key chain OER
     key 1
      key-string CISCO
    !
    oer border
     local serial 0/1
     master 10.4.9.4 key-chain OER
    !
    ip route 10.70.1.0 255.255.255.0
    !
    route-map REDISTRIBUTE_STATIC
     match tag 5000
     set metric -10
     exit
    !
    router eigrp 1
     network 10.70.0.0 0.0.0.255
     redistribute static route-map REDISTRIBUTE_STATIC
     exit
    !
    crypto ipsec security-association lifetime kilobytes 530000000
    crypto ipsec security-association lifetime seconds 14400
    crypto ipsec transform-set VPN_1 esp-3des esp-sha-hmac
     mode transport
     exit
    !
    crypto map TUNNEL 10 ipsec-isakmp
     set peer 10.4.9.81
     set transform-set VPN_1
     match address 100
    !
    crypto ipsec profile OER
     set transform-set VPN_1
     exit
    crypto map TUNNEL local-address Ethernet 0/0
    !
    crypto isakmp key 0 CISCO address 10.4.9.81 no-xauth
    crypto isakmp keepalive 10
    crypto isakmp policy 1
     encryption 3des
     authentication pre-share
     exit
    !
    interface Ethernet0/0
     ip address 10.4.9.14 255.255.255.0
     crypto map TUNNEL
     exit
    !
    interface Tunnel0
     ip address 10.100.2.1 255.255.0.0
     keepalive 30 5
     bandwidth 500
     bandwidth inherit
     tunnel mode gre ip
     tunnel source 10.4.9.14
     tunnel destination 10.4.9.81
     tunnel protection ipsec profile OER
     exit

Central VPN Configuration: BR2

The following example, starting in global configuration mode, shows the central VPN configuration of BR2:

    key chain OER
     key 1
      key-string CISCO
    !
    oer border
     local Ethernet 0/1
     master 10.4.9.4 key-chain OER
    !
    ip route 10.70.1.0 255.255.255.0
    !
    route-map REDISTRIBUTE_STATIC
     match tag 5000
     set metric -10
     exit
    !
    router eigrp 1
     network 10.70.0.0 0.0.0.255
     redistribute static route-map REDISTRIBUTE_STATIC
    !
    crypto ipsec security-association lifetime kilobytes 530000000
    crypto ipsec security-association lifetime seconds 14400
    crypto ipsec transform-set VPN_1 esp-3des esp-sha-hmac
     mode transport
     exit
    !
    crypto map TUNNEL 10 ipsec-isakmp
     set peer 10.4.9.82
     set transform-set VPN_1
     match address 100
    !
    crypto ipsec profile OER
     set transform-set VPN_1
     exit
    crypto map TUNNEL local-address Ethernet 0/0
    !
    crypto isakmp key 0 CISCO address 10.4.9.82 no-xauth
    crypto isakmp keepalive 10
    crypto isakmp policy 1
     encryption 3des
     authentication pre-share
     exit
    !
    interface Ethernet0/0
     ip address 10.4.9.15 255.255.255.0
     crypto map TUNNEL
     exit
    !
    interface Tunnel0
     ip address 10.100.2.2 255.255.0.0
     keepalive 30 5
     bandwidth 500
     bandwidth inherit
     tunnel mode gre ip
     tunnel source 10.4.9.15
     tunnel destination 10.4.9.82
     tunnel protection ipsec profile OER
     end

Central VPN Configuration: Internal Peers

The following example shows an EIGRP routing process created to establish peering with the border routers and internal peers:

    router eigrp 1
     network 10.50.1.0 0.0.0.255
     redistribute static route-map REDISTRIBUTE_STATIC
     end

VPN A Configuration: MC/BR

The following configuration example, starting in global configuration mode, shows the configuration of VPN A. VPN A is a remote site that is configured for a small office home office (SOHO) client. A single router is deployed. This router peers with service provider B and service provider E. No Interior Gateway Protocol (IGP) is deployed at this network; only a static route is configured to the remote tunnel endpoint at the central site. A delay policy, a loss policy, and optimal exit link selection are configured so that traffic is always routed through the ISP with the lowest delay and the lowest packet loss. A resolve policy is configured so that loss has the highest priority. Neither the physical interface configuration nor the router IGP peering configuration is shown in this example.

    key chain BR1
     key 1
      key-string CISCO
    !

Note The local border router process is enabled. Because the border router and master controller processes are enabled on the same router, a loopback interface (192.168.0.1) is configured as the local interface.

    oer border
     local Loopback0
     master 192.168.0.1 key-chain BR1
    !
    oer master
     learn
      delay
      exit
     mode route control
     delay threshold 100
     loss relative 200
     periodic 300
     mode select-exit good
     resolve loss priority 1 variance 20
     resolve delay priority 2 variance 10
     !
     border 192.168.0.1 key-chain BR1
      interface Serial0/0 internal
      interface Tunnel0 external
      ! The second external tunnel is assumed to be Tunnel1; its interface configuration is not shown below.
      interface Tunnel1 external
     exit
    !
    crypto ipsec security-association lifetime kilobytes 530000000
    crypto ipsec security-association lifetime seconds 14400
    crypto ipsec transform-set VPN_1 esp-3des esp-sha-hmac
     mode transport
     exit
    !
    crypto map TUNNEL 10 ipsec-isakmp
     set peer 10.4.9.81
     set transform-set VPN_1
     match address 100
    !
    crypto ipsec profile OER
     set transform-set VPN_1
     exit
    crypto map TUNNEL local-address Ethernet 0/0
    !
    crypto isakmp key 0 CISCO address 10.4.9.81 no-xauth
    crypto isakmp keepalive 10
    crypto isakmp policy 1
     encryption 3des
     authentication pre-share
     exit
    !
    interface Ethernet0/0
     ip address 10.4.9.14 255.255.255.0
     crypto map TUNNEL
     exit
    !
    interface Tunnel0
     ip address 10.100.2.1 255.255.0.0
     keepalive 30 5
     bandwidth 500
     bandwidth inherit
     tunnel mode gre ip
     tunnel source 10.4.9.14
     tunnel destination 10.4.9.81
     tunnel protection ipsec profile OER
     exit
    !

Note A single tunnel configuration is shown in this example. Two tunnels are required to configure VPN optimization.

VPN B Configuration: OER Master Controller

The following example, starting in global configuration mode, shows the master controller configuration in VPN B. Load distribution and route control mode are enabled. Out-of-policy prefixes are configured to be moved to the first in-policy exit.

    key chain OER
     key 1
      key-string CISCO
    !
    oer master
     logging
     border 10.4.9.6 key-chain OER
      interface Ethernet 0/0 external
      interface Ethernet 0/1 internal
     !
     border 10.4.9.7 key-chain OER
      interface Ethernet 0/0 external
      interface Ethernet 0/1 internal
     !
     mode route control
     mode select-exit good
     max-range utilization
     !
     learn
      delay
      end

VPN B Configuration: BR1

The following example, starting in global configuration mode, shows the VPN B configuration for BR1:

    key chain OER
     key 1
      key-string CISCO
    !
    oer border
     local Ethernet 0/1
     master 10.4.9.4 key-chain OER
    !
    route-map REDISTRIBUTE_STATIC
     match tag 5000
     set metric -10
     exit
    !
    router rip
     network 10.60.1.0
     redistribute static route-map REDISTRIBUTE_STATIC
     exit
    !
    crypto ipsec security-association lifetime kilobytes 530000000
    crypto ipsec security-association lifetime seconds 14400
    crypto ipsec transform-set VPN_1 esp-3des esp-sha-hmac
     mode transport
     exit
    !
    crypto map TUNNEL 10 ipsec-isakmp
     set peer 10.4.9.82
     set transform-set VPN_1
     match address 100
    !
    crypto ipsec profile OER
     set transform-set VPN_1
     exit
    crypto map TUNNEL local-address Ethernet 0/0
    !
    crypto isakmp key 0 CISCO address 10.4.9.82 no-xauth
    crypto isakmp keepalive 10
    crypto isakmp policy 1
     encryption 3des
     authentication pre-share
     exit
    !
    interface Ethernet0/0
     ip address 10.4.9.15 255.255.255.0
     crypto map TUNNEL
     exit
    !
    interface Tunnel0
     ip address 10.100.2.2 255.255.0.0
     keepalive 30 5
     bandwidth 500
     bandwidth inherit
     tunnel mode gre ip
     tunnel source 10.4.9.15
     tunnel destination 10.4.9.82
     tunnel protection ipsec profile OER
     end

VPN B Configuration: BR2

The following example, starting in global configuration mode, shows the VPN B configuration for BR2:

    key chain OER
     key 1
      key-string CISCO
    !
    oer border
     local Ethernet 0/1
     master 10.4.9.4 key-chain OER
     exit
    !
    route-map REDISTRIBUTE_STATIC
     match tag 5000
     set metric -10
     exit
    !
    router rip
     network 10.60.1.0
     redistribute static route-map REDISTRIBUTE_STATIC
     exit
    !
    crypto ipsec security-association lifetime kilobytes 530000000
    crypto ipsec security-association lifetime seconds 14400
    crypto ipsec transform-set VPN_1 esp-3des esp-sha-hmac
     mode transport
     exit
    !
    crypto map TUNNEL 10 ipsec-isakmp
     set peer 10.4.9.82
     set transform-set VPN_1
     match address 100
    !
    crypto ipsec profile OER
     set transform-set VPN_1
     exit
    crypto map TUNNEL local-address Ethernet 0/0
    !
    crypto isakmp key 0 CISCO address 10.4.9.82 no-xauth
    crypto isakmp keepalive 10
    crypto isakmp policy 1
     encryption 3des
     authentication pre-share
     exit
    !
    interface Ethernet0/0
     ip address 10.4.9.15 255.255.255.0
     crypto map TUNNEL
     exit
    !
    interface Tunnel0
     ip address 10.100.2.2 255.255.0.0
     keepalive 30 5
     bandwidth 500
     bandwidth inherit
     tunnel mode gre ip
     tunnel source 10.4.9.15
     tunnel destination 10.4.9.82
     tunnel protection ipsec profile OER
     end

VPN B Configuration: Internal Peers

The following example shows a Routing Information Protocol (RIP) routing process created to establish peering with the border routers and internal peers:

    router rip
     network 10.60.1.0
     end

Where to Go Next

This document describes a specific implementation of OER and presumes that you are familiar with the OER technology. If you want to review more information about OER, proceed to the Cisco IOS Optimized Edge Routing Overview module, followed by the Setting Up OER Network Components module. To learn more about the other OER phases, read through the other modules in the following list:

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.3(11)T or a later release appear in the table.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0910R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.